This paper introduces significant improvements over the existing cryptanalysis approaches on Salsa20 and ChaCha stream ciphers. For the first time, we reduced the attack complexity on Salsa20/8 to the lowest possible margin. We introduced an attack on ChaCha7.25. It is the first attack of its type on ChaCha7.25/20. In our approach, we studied differential cryptanalysis of the Salsa20 and ChaCha stream ciphers based on a comprehensive analysis of probabilistic neutral bits (PNBs). The existing differential cryptanalysis approaches on Salsa20 and ChaCha stream ciphers first study the differential bias at specific input and output differential positions and then search for probabilistic neutral bits. However, the differential bias and the set of PNBs obtained in this method are not always the ideal combination to conduct the attack against the ciphers. The researchers have not focused on the comprehensive analysis of the probabilistic neutrality measure of all key bits concerning all possible output difference positions at all possible internal rounds of Salsa20 and ChaCha stream ciphers. Moreover, the relationship between the neutrality measure and the number of inverse quarter rounds has not been scrutinized yet. To address these study gaps, we study the differential cryptanalysis based on the comprehensive analysis of probabilistic neutral bits on the reduced-round Salsa20 and ChaCha. At first, we comprehensively analyze the neutrality measure of 256 key bits positions. Afterward, we select the output difference bit position with the best average neutrality measure and look for the corresponding input differential with the best differential bias. Considering all aspects, we present an attack on Salsa20/8 with a time complexity of 2241.62 and data complexity of 231.5, which is the best-known single bit differential attack on Salsa20/8 and then, we introduced an attack on ChaCha7.25 rounds with a time complexity of 2254.011 and data complexity of 251.81.

The recent decision by the National Institute of Standards and Technology (NIST) to standardize lattice-based cryptography has further increased the demand for security analysis. The Ring-Learning with Error (Ring-LWE) problem is a mathematical problem that constitutes such lattice cryptosystems. It has many algebraic properties because it is considered in the ring of integers, R, of a number field, K. These algebraic properties make the Ring-LWE based schemes efficient, although some of them are also used for attacks. When the modulus, q, is unramified in K, it is known that the Ring-LWE problem, to determine the secret information s ∈ R/qR, can be solved by determining s (mod q) ∈ Fqf for all prime ideals q lying over q. The χ2-attack determines s (mod q) ∈Fqf using chi-square tests over R/q ≅ Fqf. The χ2-attack is improved in the special case where the residue degree f is two, which is called the two-residue-degree χ2-attack. In this paper, we extend the two-residue-degree χ2-attack to the attack that works efficiently for any residue degree. As a result, the attack time against a vulnerable field using our proposed attack with parameter (q,f)=(67, 3) was 129 seconds on a standard PC. We also evaluate the vulnerability of the two-power cyclotomic fields.

WPA is the security protocol for IEEE 802.11 wireless networks standardized as a substitute for WEP in 2003, and uses RC4 stream cipher for encryption. It improved a 16-byte RC4 key generation procedure, which is known as TKIP, from that in WEP. One of the remarkable features in TKIP is that the first 3-byte RC4 key is derived from the public parameter IV, and an analysis using this feature has been reported by Sen Gupta et al. at FSE 2014. They focused on correlations between the keystream bytes and the known RC4 key bytes in WPA, which are called key correlations or linear correlations, and improved the existing plaintext recovery attack using their discovered correlations. No study, however, has focused on such correlations including the internal states in WPA. In this paper, we investigated new linear correlations including unknown internal state variables in both generic RC4 and WPA. From the result, we can successfully discover various new linear correlations, and prove some correlations theoretically.

A cryptographic hash is an important tool in the area of a modern cryptography. It comprises a compression function, where the compression function can be built by a scratch or blockcipher. There are some familiar schemes of blockcipher compression function such as Weimar, Hirose, Tandem, Abreast, Nandi, ISA-09. Interestingly, the security proof of all the mentioned schemes are based on the ideal cipher model (ICM), which depends on ideal environment. Therefore, it is desired to use such a proof technique model, which is close to the real world such as weak cipher model (WCM). Hence, we proposed an (n, 2n) blockcipher compression function, which is secure under the ideal cipher model, weak cipher model and extended weak cipher model (ext.WCM). Additionally, the majority of the existing schemes need multiple key schedules, where the proposed scheme and the Hirose-DM follow single key scheduling property. The efficiency-rate of our scheme is r=1/2. Moreover, the number of blockcipher call of this scheme is 2 and it runs in parallel.

The χ2-attack was originally proposed by Knudsen and Meier. This attack is one of the most effective attacks for RC6. The χ2-attack can be used for both distinguishing attacks and for key recovery attacks. Although, up to the present, theoretical analysis of χ2-attacks, especially the relation between a distinguishing attack and a key recovery attack, has not been discussed, the security against key recovery attacks has been often discussed by the results of distinguishing attacks. In this paper, we investigate the theoretical relation between the distinguishing attack and the key recovery attack, and prove one theorem to evaluate the exact security against the key recovery attacks by using the results of the distinguishing attack. Furthermore we propose two key recovery attacks against RC5-64 and implement them. Our best key recovery attack can analyze RC5-64 with 16 rounds by using 2125.23 plaintexts with a success probability of 30%. This result works faster than exhaustive key search. As far as the authors know, this is the best result of known plaintext attacks to RC5-64. We also apply our theory on our key recovery attacks and demonstrate the validity.

The RC4 stream cipher is widely used including WEP and WPA, which are the security protocols for IEEE 802.11 wireless standard. WPA improved a construction of the RC4 key setting known as TKIP to avoid the known WEP attacks. The first 3-byte RC4 keys generated by IV in WPA are known since IV can be obtained by observing packets. The weaknesses in TKIP using the known IV were reported by Sen Gupta et al. at FSE 2014 and by Ito and Miyaji at FSE 2015. Both showed that TKIP induces many RC4 key correlations including the keystream bytes or the unknown internal states. Ideally TKIP should be constructed in such a way that it can keep the security level of generic RC4. In the first part of this paper, we will provide newly theoretical proofs of 17 correlations remain unproven in our previous work theoretically. Our theoretical analysis can make clear how TKIP induces biases of internal states in generic RC4. In the second part of this paper, we will further provide a refined construction of the RC4 key setting. As a result, we can reduce the number of correlations in the refined construction by about 70% in comparison with that in the original setting.

Koblitz and Miller proposed a method by which the group of points on an elliptic curve over a finite field can be used for the public key cryptosystems instead of a finite field. To realize signature or identification schemes by a smart card, we need less data size stored in a smart card and less computation amount by it. In this paper, we show how to construct such elliptic curves while keeping security high.

An English auction is the most familiar type of auctions. Generally, an electronic auction has mainly two entities, the registration manager (RM) who treats the registration of bidders, and the auction manager (AM) who holds auctions. Before starting an auction, a bidder who wants to participate in English auction is registered to RM with her/his information. An electronic English auction protocol should satisfy the following nine properties, (a) Anonymity, (b) Traceability, (c) No framing, (d) Unforgeability, (e) Fairness, (f) Verifiability, (g) Unlinkability among plural auctions, (h) Linkability in an auction, and (i) Efficiency of bidding. Furthermore from the practical point of view we add two properties (j) Easy revocation and (k) One-time registration. A group signature is adapted to an English auction in order to satisfy (a), (b), and (f). However such a direct adoption suffers from the most critical drawback of efficiency in group signatures. In this paper we propose more realistic electronic English auction scheme, which satisfies all of these properties without using a group signature. Notable features of our scheme are: (1) both of bidding and verification of bids are done quite efficiently by introducing a bulletin board, (2) both properties (j) Easy revocation and (k) One-time registration are satisfied.

RC4 is the stream cipher proposed by Rivest in 1987, which is widely used in a number of commercial products because of its simplicity and substantial security. RC4 exploits shuffle-exchange paradigm, which uses a permutation S. Many attacks have been reported so far. No study, however, has focused on correlations in the Pseudo-Random Generation (PRGA) between two permutations S and S' with some differences, nevertheless such correlations are related to an inherent weakness of shuffle-exchange-type PRGA. In this paper, we investigate the correlations between S and S' with some differences in the initial round. We show that correlations between S and S' remain before "i" is in the position where the nonzero-bit difference exists in the initial round, and that the correlations remain with non negligible probability even after "i" passed by the position. This means that the same correlations between S and S' will be observed after the 255-th round. This reveals an inherent weakness of shuffle-exchange-type PRGA.

In 1990, Menezes, Okamoto and Vanstone proposed a method that reduces EDLP to DLP, which gave an impact on the security of cryptosystems based on EDLP. But this reducing is valid only when Weil pairing can be defined over the m-torsion group which includes the base point of EDLP. If an elliptic curve is ordinary, there exists EDLP to which we cannot apply the reducing. In this paper, we investigate the condition for which this reducing is invalid.

Multisignature scheme realizes that plural users generate the signature on a message, and that the signature is verified. Various studies on multisignature have been proposed. They are classified into two types: RSA-based multisignature, and discrete logarithm problem (DLP) based multisignature, all of which assume that a message is fixed beforehand. In a sense, these schemes do not have a feature of message flexibility. Furthermore all schemes which satisfy with order verifiability designate order of signers beforehand. Therefore these protocols have a feature of order verifiability but not order flexibility. For a practical purpose of circulating messages soundly through Internet, a multisignature scheme with message flexibility, order flexibility and order verifiability should be required. However, unfortunately, all previous multisignature do not realize these features. In this paper, we propose a general model of multisignature schemes with flexibility and verifiability. We also present two practical schemes based on DLP based message recover signature and RSA signature, respectively.

Software obfuscation is a promising approach to protect intellectual property rights and secret information of software in untrusted environments. Unfortunately previous software obfuscation techniques share a major drawback that they do not have a theoretical basis and thus it is unclear how effective they are. Therefore we propose new software obfuscation techniques in this paper. The techniques are based on the difficulty of interprocedural analysis of software programs. The essence of our obfuscation techniques is a new complexity problem to precisely determine the address a function pointer points to in the presence of arrays of function pointers. We show that the problem is NP-hard and the fact provides a theoretical basis for our obfuscation techniques. Furthermore, we have already implemented a prototype tool that obfuscates C programs according to our proposed techniques and in this paper we describe the implementation and discuss the experiments results.

Knudsen and Meier applied the χ2-attack to RC6. The χ2-attack recovers a key by using high correlations measured by χ2-value. Up to the present, the success probability of any χ2-attack has not been evaluated theoretically without using experimental results. In this paper, we discuss the success probability of χ2-attack and give the theorem that evaluates the success probability without using any experimental result, for the first time. We make sure the accuracy of our theorem by demonstrating it on both 4-round RC6 without post-whitening and 4-round RC6-8. We also evaluate the security of RC6 theoretically and show that a variant of the χ2-attack is faster than an exhaustive key search for the 192-bit-key and 256-bit-key RC6 with up to 16 rounds. As a result, we succeed in answering such an open question that a variant of the χ2-attack can be used to attack RC6 with 16 or more rounds.

Elliptic curve cryptosystems are based on the elliptic curve discrete logarithm problem (ECDLP). If elliptic curve cryptosystems avoid FR-reduction and anomalous elliptic curve over Fq, then with current knowledge we can construct elliptic curve cryptosystems over a smaller definition field. ECDLP has an interesting property that the security deeply depends on elliptic curve traces rather than definition fields, which does not occur in the case of the discrete logarithm problem (DLP). Therefore it is important to characterize elliptic curve traces explicitly from the security point of view. As for FR-reduction, supersingular elliptic curves or elliptic curve E/Fq with trace 2 have been reported to be vulnerable. However unfortunately these have been only results that characterize elliptic curve traces explicitly for FR- and MOV-reductions. More importantly, the secure trace against FR-reduction has not been reported at all. Elliptic curves with the secure trace means that the reduced extension degree is always higher than a certain level. In this paper, we aim at characterizing elliptic curve traces by FR-reduction and investigate explicit conditions of traces vulnerable or secure against FR-reduction. We show new explicit conditions of elliptic curve traces for FR-reduction. We also present algorithms to construct such elliptic curves, which have relation to famous number theory problems.

This paper presents new key correlations of the keystream bytes generated from RC4 and their application to plaintext recovery on WPA-TKIP. We first observe new key correlations between two bytes of the RC4 key pairs and a keystream byte in each round, and provide their proofs. We refer to these correlations as iterated RC4 key correlations since two bytes of the RC4 key pairs are iterated every 16 rounds. We then extend the existing attacks by Isobe et al. at FSE 2013 and AlFardan et al. at USENIX Security 2013, 0and finally propose an efficient attack on WPA-TKIP. We refer to the proposed attack as chosen plaintext recovery attack (CPRA) since it chooses the best approach for each byte from a variety of the existing attacks. In order to recover the first 257 bytes of a plaintext on WPA-TKIP with success probability of at least 90%, CPRA requires approximately 230 ciphertexts, which are approximately half the number of ciphertexts for the existing attack by Paterson et al. at FSE 2014.

Time-sequence data is high dimensional and contains a lot of information, which can be utilized in various fields, such as insurance, finance, and advertising. Personal data including time-sequence data is converted to anonymized datasets, which need to strike a balance between both privacy and utility. In this paper, we consider low-rank matrix factorization as one of anonymization methods and evaluate its efficiency. We convert time-sequence datasets to matrices and evaluate both privacy and utility. The record IDs in time-sequence data are changed at regular intervals to reduce re-identification risk. However, since individuals tend to behave in a similar fashion over periods of time, there remains a risk of record linkage even if record IDs are different. Hence, we evaluate the re-identification and linkage risks as privacy risks of time-sequence data. Our experimental results show that matrix factorization is a viable anonymization method and it can achieve better utility than existing anonymization methods.